PROGRAM PROTECT I OK NEWSLETTER 
MAY, 1985 


WHAT IS A PROGRAM PROTECTION NEWSLETTER? 

It Is a monthly newsletter that will deal with program protection schemes 
of all types. Each month will cover 3 to 5 specific examples of different 
program protection schemes. Some will be very easy schemes, others may be 
very difficult. Some Issues will cover word processors, data bases, 
spread sheets and games. Many different programs will be selected and 
each will be fully explained as to their type of protection. 

Each program example used will be for illustrative purposes only. It Is 
not the Intention of this newsletter to promote or encourage Illegal or 
unauthorized duplication of 'any copyrighted program. UNAUTHORIZED 
DUPLICATION OF A COPYRIGHTED PROGRAM IS ILLEGAL I! 


WHY WOULD AKYBODY NEED A PROGRAM PROTECTION NEWSLETTER? 

Many programs have a very sophisticated protection scheme and can not be 
used on sot?.e disk drives (MSD, 4040, 8050 etc.). Other programs use 
errors on the disk that can be very harmful to the disk drive. Many other 
people just prefer to use one disk for all their programs of one specific 
type (l.e. utilities). 

According to federal copyright law you are allowed to make an ARCHIVAL 
copy of any program that you have purchased. You are also allowed to 
modify your program as long as the modifications are essential to the 
program's operation. Some protection schemes do not allow the program to 
be directly backed up. They may require the use of sophisticated copy 
programs or extensive knowled9 e of MACHINE LANGUAGE to understand. In 
either case the average user may not be able to obtain an archival copy 
of their valued programs. Another group of people just want to know more 
about their computer and its associated components. They want to know how 
programs are protected and how their machine operates. They want to know 
how to modify their own disks and how to protect their own programs. 

Whatever reason you have for wanting to learn about program protection, 
this newsletter Is for you! 

PASS THIS COUPON ON TO YOUR FRIENDS WHO WISH TO LEARN MORE ABOUT PROGRAM 
PROTECTION SCHEMES. BETTER YET, l/SE IT TO RENEW YOUR SUBSCRIPTION FOR THE 
NEXT YEAR, AUG. 85 TO »jyLY 86. ' 


SUBSCRIPTION PRICE $35.00 POST PAID IN U.S. AND CANADA 
($45.00 FOR 1ST CLASS FOREIGN MAIL DELIVERY) 

NAME ___ 

ADDRESS __ 

CITY,ST,ZIP __ 


Renew by August for 
continuous delivery. 
See special renecel 
offer Inside. ' . 


CSK SOFTWARE INC. 

P. 0. BOX 563 
CROWN POUT, IN 46307 
(215) 663-4335 






First off this month, we'd like to congratulate all of you who got April's 
ULTRA LIGHTNING program typed In and running. We hope It was an educational 
experience. The response from the readers we talked to was ve ^. ^® vor ®^* 
Most people had a good laugh and let It go at that. In fact, a lot of People 
said they couldn't wait to spring It on their friends. I suppose there s 
always one old grouch In every crowd, though, and we did have ours. At least 
he wSs only out a little time, since the program was free (and worth every 
Denny). Honestly, I think this example demonstrates the need for a little 
Wealthy skepticism when It comes to software that sounds too good to be true. 
Next time you see an ad for the 'ultimate* In this or that type of ^ software, 
1 hope ULTRA LIGHTNING comes to mind. 


To move on to another subject, we often get letters asking If we'll run a 
particular prbgram In the newl etter' Whl 1 e we are always Interested In your 
suggestions, the sheer volume of software being produced prevents us from 
being able to satisfy even a fraction of these requests. At the same tim ®» 
allows us to be selective about the programs we cover. We try w P c+<ii 

programs whose protection method may have some new 'twist but which is s 
general enough to be applicable to other programs. You may not have noticed, 
but we are also selective when It comes to the companies that produce t e 
programs we run. In fact, we rarely cover the same company, twice. With tne 
way the software market is today, even some good, reputable companies are 
struggling. He have no desire to add to their troubles by helping people 
pirate their whole software line. If a company can't make a decent profit 
from their work, they won't be able to produce the kind of quality software 
we all want to see available for our machines. 


True, one purpose of this newsletter IS to help you make copies of soft ^®: 
but only ARCHIVAL copies of your ORIGINAL programs. Of equal or greate 
Importance '1 s educating~our"‘readers~8boirt HOW -programs are protected, js -a 
way of leading you painlessly Into learning some very fundamental things 
about your Computer. Many readers have said that if it weren t fo 
investigating protected software, they would never have had the incentive to 
learn about nachlne language, disk formats, memory management, etc. as 
protection methods become more sophisticated, we'll be here to elp you eep 
pace. , 


And now you can help each other too. Starting next month, we will begin 
featuring backup procedures submitted by our readers. If you 
investigated a program and discovered how Its protection works, you can share 
this Information with your fellow subscribers and enjoy all the resultant 
fame and glory! We will of course continue to be selective about the items we 
run, so we ask that you submit a short description for our approval before 
you send the detailed procedure. Here's how it works: 


A) Send us a short (1/2 page or less) summary of your procedure, including. 

1. Program name, trademark and/or copyright Information idate ant 
author), and name of software publishing company. 

2. Type of program (adventure game, copy program, etc.) and form ioisk 

cartridge, etc.) . . . . 

3. Short description of the type of protection used (e.g. bad blocks 

duplicated sectors, encryption). 

4. General outline of the procedure used to copy or modify the program 
without going Into detail. Oust try to summarize the steps involve 
as briefly as possible. 

5. Your name, address and phone number(s). 
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B) ‘ On the outside of the envelope, you MUST put the woVds 'NEWSLETTER 

SUBMISSION ’ in order for it to be accepted by our mailroom. 

C) After looking over your summary, we will contact you If we would like to 
run your feature. We'll send you a set of guidelines that we ask you to 
follow In your write-up (see below). 

0) When we receive your write-up, we will review it to make sure it meets 
our expectations. Upon acceptance of your write-up for publication, we 
will send you a check for $50. 

E) In case of multiple submissions covering the same program, we reserve 
the right to select the write-up we feel Is best for the newsletter. 


NEWSLETTER SUBSCRIPTION RENEWALS - SPECIAL OFFER! 

">■ - *■' l ' I "T: Z ’ T'lT * —T-I-- --*- “ 

As you know, all newsletter subscriptions end with the July 1985 Issue. A fev 
Issues ago we discussed some reservations we had about whether we woulc 
continue the newsletter after July. The basic problem Is that we have seen it 

being photocopied and passed around on a wholesale basis. While we feel we 
are providing a valuable service and want to continue It, the newsletter 

requires a lot of our time each month and Is not a tremendously lucrative 
business for us. If you appreciate the service we provide, we ask that yoi 
help us continue it. Don't let nonsubscribers borrow or copy your newsletter. 

With the understanding that most of our readers will do their part, we are 
happy to announce that we are accepting subscriptions for another year. Witt 
Kay already upon us, be sure to get your renewal in soon to insuri 

uninterrupted delivery. The subscription cost for 12 issues is still only $3! 
($45 for foreign - airmail, first class). As an incentive to subscribe, upoi 
receipt of your paid subscription we will send you complete instructions foi 
installing an extra 8K of RAM or EPROM In your disk drive. This extra memor. 
can be used for doing many things which are not possible with your drive noi 
(see 'Hardware Limitations of the 1541* In last month's issue). 

For starters, with the 8K RAM instructions we'll Include a program that read 
an entire track Into memory at one tlEe. This allows you to directly view th 
track at the GCR level and note any duplicate or missing sectors, formattln 
irregularities, etc. With additional programming, 8K of RAM also enables yo 
to write out a whole track at a time, including special formats, errors, etc 
Use it to copy tracks or protect your own software. This memory Is no 
affected by a reset or by normal operation of the drive, so you can 'park 

special-purpose routines such as custom DOS programs there Indefinitely. Yo 
can even burn your own routines Into an EPROM and plug that In Instead of th 
RAM. In fact, adding another 8K of RAK or EPROM Is easily, accomplished one 
the Initial modification Is made. Imagine - 8K of DOS routines on EPROM an 
another 8K. of RAM workspace! 

Installing your extra memory does require modifying the drive by soldering 
few wires, so this is not a project for everyone. We will provide a schematl 
drawing showing all connections to make, Instructions for making th 
modifications and a (short) list of the parts required. All of the part,s ar 
commonly available through electronics suppliers, and CSM will also carr 

them. Although we may make the Instructions available at a reasonable cost 1 
the future, remember that they are FREE NOW with your paid subscription. Th 1 
offer won't last forever, so get your renewal off today. Now, don't everybod 
crowd the mall box! 
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guidelines for newsletter submissions 


A) CONTENT - As explained above, we arc *°\\ J "in^^ectl on^ 09 ™** 
offer an opportunity to learn a new twist In protection. 


which 


a\ cnpvtT - Gfrnerallv we ask that you follow the familiar format now 

B) 1 n R the newsletter! four*write-up*should be ..d. up of fire ports: 


used 


1 . 
2 . 


4 . 


m ayr _ puli nroarara name, copyright and trademark information, 
ym OF PROTECTION - A discrlptlon of the errors or other protection 

3 HOW-TO COPY - Indicate the type of copy program used, such as^ 

minute or nibble copier. Include any r * 

be done, such as creating errors or copying particular sectors. 
sDecIfv copy utilities by brand name unless you know It is nec f ss * 
^SsetSn particular one; If you're In doubt, tell which one you 
used but say that others may wo.rk. If the program oan t be c p . 
qlve some indication of why not, and what you have tried. 

HOW TO MAKE A WORKING COPY WITHOUT PROTECTION - Obvl» 1 COMPLETE 
crucial part. This Is where you describe WHAT to do. Give * COMPLETE, 
STEP-BY-STEP explanation of your procedure. Remember that ev y 
not equally faclllar with machine language, ML monitors, etc. so be 
ISretS lake your directions very specific. One thing we often do s 
give the procedure to another person and see If they can d ° 
without helo. Your procedure should use only commonplace tools 

(monitor. T/S editor, reset button) un,es * ab = °' ut j' R J s ^ eS pJo ) rECnOH 
can assume that your readers hare a copy ofthe PROGRAM PKUittnun 

MANUALS (Vol. I & II) and the accompanying diskettes. ^ . e _ n# , 

EXPLANATION - This 1 i. where you describe HOW the Protection be 

WHY your procedure disables It. While many P r o^ ec * ures . 

explained as they are presented. In some cases engthy explanation 
can get in the way of the step-by-step 'cookbook _ JPP r °“h of ?! 
previous section. If there are points that are worth explo g 
detail, save them for a separate section at the end. 


C) LENGTH - Your write-up should be 1-2 pages long in its final form. Verj 
few programs require more than this. 


fil< 


D) FORM - You must submit your write-up on disk in a word processor . 
compatible with Paperclip (Wordpro, Easyscript and s P e ®^ r !P^ !£! ?od V 
don't use Homeword). For backup, you should also AL (data 

Save your document In the normal manner and ALSO AS A SEQUENTIAL (data 
file if your word processor has that option. Be sure to tell us 
word processor you used. 


E) RIGHTS - All submitted meterlal becomes the property of CSMSoftwen 
Inc., for publication or other use. No materiel will be returned excep 
by special arrangement. 


F) MISC - DO NOT use any copyrighted material in your write up. 

Instance, do not include a dlssaserably listing of part of the or g na 
program. You may of course list any code that you inser or re P J ce in 
the original code. Also, do not send us either the original software o 
any altered copies. 
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The program 1$ THE music PROCESSOR. Sight i Sou nd Music, I nc... Copyright 
1984, K . Peter EngelbrUe. 

TYPE Of PROTECTION: This program will chock for an error 29 on TRACK 11. 
If present, the program will run properly. 

HOW TO COPY: Use any copy program capable of reproducing errors, such as 
OMN1 CLONE. 

HOW TO MAKE A WORKING COPY WITHOUT ANY ERRORS ON THE DISK: 

Last month we provided a review of the “^'‘^^“‘''^“^“"Ms'mSnth 
It cleared up any quest »ns *ou 1 liJSla ™p 9 y of a ^program from memory 
we will concentrate on Jl 1 f11 n_g a routine • Reeember, this procedure 

Our first program requires that we ^fl^^pturl^rthirro" 

SfthS twh.lS!!. «J5 for programs stored under KERNAL RAM 
($EOOO-$FFFF). 

Before we get to the unprotectl on P™£ es ** p 1 ^ S a ^ KERNAL 1 ROK^ 1 In' order 

?rac a c1srt P hrc^e% R ^e; h t e he 0 ^! V « mJ°r change Ihls ’J.i.. to the 
following: 


BASIC RAM $36 
KERNAL RAM $35 
0 PAGE RAM $34 


(BASIC ALSO) 

(KERNAL AND BASIC ALSO) 


To access the code under D Page, we will write a machine \a SSSf?" We^lll 

to transfer the code from 0 PAGE (JOOOO-SDFFF) to J2000-J2FFF. We will 

construct this routine at $1000. 

Load and execute HIMON with SYS49152. Using K 1000 102A, will «»*»]' 
section Of memory that we will use to store our program. Change the values 

to the following: 


.: 1 000 78 A9 34 85 01 A9 00 85 

. r1008 FB 85 FD A9 DO 85 FC A9 ' 

. : 1010 20 85 FE AO 00 B1 FB 91 

.: 1018 FD C8 DO F9 -E6 FC E6 FE 

.: 1020 A5 FC C9 EO DO EF A9 37 

.: 1028 85.01 58 00 00 00 00 00 


Check your program with the following disassembly. 
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1000 78 

1001 A9 34 
1003 85 01 
1005 A9 00 
1007 85 FB 
1009 85 FD 
100B AO DO 
1000 85 FC 
100F A9 20 
1011 85 FE 
1013 AO 00 
1015 B1 FB 
1017 91 FD 

1019 C8 

101 A DO F9 

101C E6 FC 
101E E6 FE 

1020 A5 FC 
1022 C9 EO 
1024 DO EF 
1026 A9 37 
1028 85 01 
102A 58 
1028 00 


SEI 

LDA #$34 
STA $01 
LDA #$00 
STA $FB 
STA $FD 
LDA #$DQ 
STA $FC 
LDA #$20 
STA $FE 
LDY #$00 
LDA ($FB),Y 
STA ($FD).Y 
INY 

BNE $1015 

INC $FC 
INC $FE 
LDA $FC 
CMP #$E0 ‘ 

BNE $1015 
LDA #$37 
STA $01 
CLI 
BRK 


PREVENT IRQ INTERRUPTS 

VALUE REQUIRED TO ACCESS D PAGE RAN 

STORE THE $34 AT ADDRESS $01 

LOAD THE LOW BYTE OF D PAGE AND 2000 

STORE 0 PA6E LOW BYTE HERE (00) 

LOW BYTE $2000 STORED HERE 
SOURCE PAGE HIGH BYTE (D PAGE) 

STORE D PAGE HIGH BYTE HERE 
DESTINATION PAGE HIGH BYTE 
STORE HERE 


TRANSFER LOOP 

H ** L * -i ♦ 

n . 

LOOP BACK TO $1015 UNTIL ALL CODE AT 0 
PAGE HAS BEEN TRANSFERRED 


CHECK $FC FOR END OF D PAGE 
,0NQE AT $E000 END TRANSFER 

SET LOCATION $01 TO NORMAL VALUE 
STORE HERE 
ALLOW INTERRUPTS 


Once you are sure the program is correct, save It to a formatted disk with 
S “0 PAGE TRANSFER 0 ,08,1000,1026. 


The purpose of 
to $2000-$2FFF 
will transfer 
version. Let's 


this programs—to-t^ansf^r-a-copy of t - he code 
. After the transfer, we will tack on a section 
this original code back to D PAGE for our 
get to It! 


under D PAGE 
of code that 
unprotected 


For those who have a copy of the PROTECTION MANUAL II load and run the 
program called "FILL'ER UP°, which Is Included on your program disk. 
This program will fill memory will 99's, which wl11 m&kc It « a ;J er 
locate the program code. The advantage of FILL ER UP 1s § that It will 
fill the memory under the ROMS. If you do not have FILL ER UP, CO 
and execute HIMON with SYS49152. Once executed, fill memory with [0800 
BFFF 99. Exit to BASIC with G FCE2 (SYS64738). Be sure to have a blank, 
formatted disk available for this program. 


2. Load and execute the original program. Once the program gets to the 

menu screen RESET your computer. • 

3. Load and execute HIMON. We will now go after the D PAGE code. Clean-up 

the work space with F 1000 4000 99. • 

4. Load the transfer program from your formatted disk with 

L "D PAGE TRANSFER".08. 


5. Execute the program with G 1000. Using the I command from $2000-$2FFF, 
will reveal the code that occupies the RAM under D PAGE. If you used 
"FILL'ER UP" you will find that the actual code begins at $2800 
($D800). 
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6. We will now tack on a routine to transfer the code at $2000 to D page. 
We will reverse the process we Just used to transfer D PAGE to $2000. 
We will even use the stee program. One* wt change the source and target 
pages, this program will reverse the process. T 1000 102B 3000 will 

make a copy of the original transfer program to $3000. Use the 0 
command at $3000 to check to sec If your transfer worked. We will now 
alter the code at $3000 to change our source and target pages. This 
will require that we change D PAGE references to $2000 and that we 
change the comparison for the end of our code at $3000. Note: we can't 
just load code directly Into D page from the disk. Unlike BASIC and 
KERNAL roes, a store to D page will go to the I/O devices rather than 
RAM (see the chapter on the '6510 AND THE PLA' PPM VOL II). 


Use the 

K command to make 

'* . . 7 - 1 " 

the 

ADDRESS 

ORIGINAL -VALUE ' 

NEW 

M 300C 

DO 

20 

M 3010 

20 

DO 

M 3023 

EO 

30 


Along with changing the target and source pages, we will add a RESET 
Instruction to the new transfer program. Use the M command to add the 
following code at $302B. 

M 302B 4C E2 FC 00 00 00 00 00 

Once the D PAGE code Is loaded and executed with SYS12288, this section 
of code will return us to BASIC through the RESET vector (JMP $FCE2 « 
SYS64738). 


Save out the D PAGE code and the transfer program using 
S "MP D PAGE“,08,2000,302E. 

8. We will now go after the main body of the program. Clean-up the work 
space again with F 0800 C000 99. Exit to BASIC with G FCE2. 

9. Load and run the original program. Once the menu screen Is up, RESET 
your computer. 

10. Load and execute HIMON. Use M 0001 to change the 37 to a 36. This will 
flip out BASIC and allow us access to the code underneath. The program 
extends from $0800 through $A995. Save out the code with 
S M MP MAIN",08,0800,A995. 

11. Now for the entry point. Using the D command, disassemble the code a 
$7D1A fSYS32026r>?Th1s section of code will load the program called 
"START.UP M (C000-CFFF) which Is the menu screen. That’s all there Is 
to it. 


12. File copy all programs beginning with "START.UP" to your formatted 
disk. To execute this program use the following procedure: 


LOAD "MP D PAGE",8,1 
SYS 1 2288 

LOAD "HP MAIN",8,1 
SYS32026 


(RETURN) 

(RETURN) 

(RETURN) 

(RETURN) 


13. YOU'RE DONE! 


PAGE 7 


#5?. 


NEWSLETTER 


I 


MAY 1985 


The program Is BANK STREET MUSICWRITER, Copyright 1985 KIKOSCAPE,INC.. 
Copyright 1 984 by &Ten CTancy. By tht way this Is probably one of the best 
mus1c program for the C-64 that we have secnl 

TYPE OF PROTECTION: This program utilizes non-standard sectors as Its 
protection scheme. An Investigation of TRACK 19 reveals a duplication of 
SECTOR 3 In place of SECTOR 18. You will find non-standard sectors 
explained In greater detail In the Program Protection Manual II. 


HOW TO COPY:'Some of the newer nibble copy programs will copy this disk, 
such as DISKMAKER. 

• r 

HOW TO MAKE A WORK IN6 COPY'WITHOUT ERRORS ON THE DISK: 


We will unprotect this program by lifting a working copy of the program 
from memory. It is faster than tracing through the protection scheme and 
will cut down on the load time. 

1. Load and run “FILL'ER UP“. Have a blank formatted disk available. 

y- . 

2. If you do not have “FILL'ER UP". LOAD and execute HIMON with SYS49152. 
Once executed, fill memory with F 0800 BFFF 99. Exit to BASIC with G 
FCE2 (SYS64738). 

3. Load and execute the original program In the normal manner. Once the 
program Is In memory (l.e. main menu), RESET your computer. 

4. Load and execute HIMON. Using the I command, we find that the program 
— - code—extetrds - from~$0800 _ t"hi*oug-h -$-9-5 E 1 ■ —Save- thi-s— c ode to _ A f0rjHati.e.0. 

disk with S “BANK STREET - ,08,0800,95E1. 

5. With that accomplished, we will now search for the entry point. Using 

the D command at $0800, we find the first meaningful code at $0850. As 

we have explained In the PPM II, a good place to try an entry point Is 
at a JMP Instruction. 

6. Place the original disk In the drive and try the entry point with G 

0850. This section of code loads the program called “SPRITES.BIN - and 

jumps to the routine that displays the menu screen ($08CD). 

7. Use a file copy program to copy "SPRITES.BIN" to your formatted disk. 
You may also wish to copy the programs from SIDE TWO of your original 
disk to your formatted disk. 

8. To utilize the program, L0AD"BANK STREET",8,1. Once in memory, execute 

the program with SYS2128 (HEX $0850), «. . • 

9. YOU'RE DONE! 


i 


NEWSLETTER 


PAGE 8 


MAY 1985 





’The prograc Is vnilR NET WORTH, deyil oged 
1 984, Scarborough Systems live. This 1 
program. 


bv ISA Systems 

s a very good 


Inc .. Copyright 
accounting type 


TYPE OF PROTECTION: This program utilizes bad blocks as ) ts 

scheme. There are a variety of errors on the disk designed BLOCK 

copy procedure. An examination of the boot program (NW) reveals 

READ (B-R) command. The program will store the value It returns 

error channel and utilize It for the proper execution of the program. 


HOW TO COPT: A copy program such as OMNICLONE will make a working .copy of 
this prograe. . 


HOW TO HAKE A WORKING COP.Y WITHOUT ERRORS ON THE DISK: 

As with the previous program, we will lift a working copy from memory. We 
chose this eethod to cut down on load time. Almost 50% savings In load 
time may be obtained by lifting this program fro* memory. Examining the 
boot prograc, we find the entry point In LINE 11 (BASIC). Once the program 
has loaded the program modules and passed the error checking routine, 
will do a SYS 10900. This Is the main menu screen. 

1. If you have "FILL 1 ER UP", load and execute the program. If you do not 
have this program, fill memory through HIKON. Load and c*® cu £| 3 

with SYS49152. Using the F corccand, fill memory with F 0800 9FFF 99. 
With this accomplished, exit to BASIC with G FCE2 (SYS64738). 


2. Load the original program. Once the main menu screen appears, RESET 
your cooputer. 

3. Since the program code does not extend through C Page, HIMON Is still 
In meEory. Re-enter the monitor with SYS49152. 


4. Using the I command at $0800, begin scrolling through memory to locate 

the end of the program code. Remember, we are looking for 99 s. We find 

the end of the program code located at $9C00. 


5 . save out the code to a formatted disk with 

S "YOUR NET WORTH" ,08,0800,9C00. You may now file copy the HELP 
prograes from your original disk to your formatted disk. 

6. To utilize the program LOAD “YOUR NET WORTH",8,1. Once In memory, 
execute the program with SYS10900. Remember this was the entry point 
revealed to us in the boot program. 


7. YOU’RE DONE! 


With the last three programs, we chose to take a working copy from memory. 
The main advantage of this procedure is that we do not have to be 
concerned with tracing the protection scheme. Once in memory, the program 
has passed Its protection and will function normally when the proper entry 
point has been found. In our next program, we cut the load time In half by 
lifting a working copy from memory. 
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The program is PROFESSIONAL TOUR 60LF, Strategic Simulations , Inc., by 
Henry L. Ri chbourg ,' Copyrl girt "1 98^. 

TYPE OF PROTECTION: This program uses bad blocks as Its protection scheme. 
The program Bill check for an error 23 on TRACK 2, SECTOR 15 and an error 
27 on TRACK 3, SECTOR 16. Your disk drive Bill get a real “KICK" out of 
this program. 

HOW TO COPY: Use any copy program capable of duplicating errors or sake a 
copy of the disk and place the errors yourself. 

HOW TO MAKE A WORKING COPY WITHOUT ERRORS OK THE DISK: 

Although this program Is not as intricate as the others, it does 
illustrate an Important concept. 

The program that does the error checking Is “GS“. Since the program Is In 
BASIC, It may be examined easily. We find the BLOCK-READ commands In LINE 
181 and LINE 183. LINES 182 and 183 will act on these values. In the first 
check In LIRE 182, we are checking for a value O than 23." If the value 
returned Is not 23 then “0K“ becomes "NO". We find the same type of 
1nstructlon * 1n line 183. Here a value other than 27 results In a “NO". 
LINE 184 will act on these comparisons. If a “NO" was returned through the 
comparisons, the program will be sent to LINE 185. This section of' code 
will crash the program. If the comparisons do not reveal a "NO", the 
program will be sent to LINE 186 and will execute normally. 

It would sees that the most effective approach would be to delete the 
error checking routine, but there Is a hitch. Since this program contains 
a machine language section, we must keep the program length the same, so 
that the machine language section will reside in Its proper place In 
memory. We discussed this problem last month, but It bears repeating. With 
that in mind, let’s unprotect the program. One last comment about this 
program. The program would not successfully operate by just changing the 
’23’ or ’27' to ’OO’s. Evidently the program checks for the proper error 
number to be present In the BASIC portion of the program. 

1. Copy the original disk with any program that will not produce errors on 
the copy. 

2. LOAD "GS° ,8 

3. Change the "NO" In LINE 182 to a "HO". Now list LINE 183 and change the 
"NO" to "HO". 

4. Save the altered program with SAVE"@0:G$",8. 

* I 

5. You may now load and execute the program In the normal manner. LINE 184 
is checking for a "NO" not a "HO", so the program will be sent to LINE 
186 and will execute properly. 

6. YOU'RE DONE! 


A program of this type seems very simple, but can give you fits if you are 
unaware of the concepts explained here. 
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The program is F-15 STRIKE EAGLE, Copyright 1984 by MicroProse Sof tware. 


TYPE OF PROTECTION: 

The 

disk has 

duplicate 

sectors 1-9 on 

tracks 1-3, 

and 

error 29's on 

track 

35 

. The 

protectlon 

routine uses 

encryptlon 

and 

undocumented 

opcodes 

• 






HOW TO COPY: 

Some of 

the 

newer, 

better 

nybble copiers 

can copy 

thi s 


program. The duplicate sectors oeke It difficult to copy. 
HOW TO MAKE A WORKING COPY WITHOUT ERRORS: 


1) 

Copy the original disk with any copy 

program 

which 

does‘ not 

put 


errors on the backup copy. You may even 

file copy the 

disk If 

you 


prefer. 

Load In HIMOK. Using'the oonHo r » load 
protection routine: L “TITLE.BA 6 ,08; 






3) 

i n 

the 

file 

containing 

the 

4) 

Change memory locations $ 0 Ef0-0EF3 
(encrypted NOP's). 

from 

$ B2 

9D FI 

to $14 

14 14 

5) 

Change locations $0F5D-0F5F frt.re $DE 2F 

FF 

to 

$14 55 

B2 (encrypted 


form of NOP LDA #$40. 


6) Replace the changed file with “@0:TITLE.BA",08,0801,OFFB. 

7) That's it - you're don$! 

This program Is Interesting because It uses a combination of protection 
methods. The file TITLE.BA consists of two parts, a BASIC program to print 
the title screen and an ML section to check the disk protection. The BASIC 
program calls the ML routine with SYS 3416 at line 301. Line 301 is hidden 
from being LIST'ed, using delete characters (see the PPM Vol I for a 
discussion of this technique). To make the line llstable, change the 
deletes ($14) to spaces ($20) with an ML monitor. 

The ML routine makes extensive use of undocumented opcodes. They are used 
Immediately upon entry at $0D58 (= 3416 decimal) to alter the routine so 
that It jumps to $0E28 next. This begins a process which decrypts some of 
the remaining code and executes It. As this code executes, It decrypts 
several disk commands one-by-one and sends them to the drive. First, the 
routine checks track 35, sector 3 for an error 29. This check Is disabled 
by the patch made In step 5 above. Then It loads track 3, sector 3 Into 
the drive and reads the first byte. This byte Is supposed to be a $4C, so 
the patch in step 6 simply replaces the call to CHRIN (Kernal routine at 
$FFCF to get 4 chflrfic$,ji*rfr.Grfi_the drive buffer Into the . accumul ator) with 
NOP LDA #$4C. The $4C fs "then"stored In the computer's memory at $DFFF, In 
the RAM underneath the I/O devices. Later on it Is checked and the program 
crashes if the value isn't correct. 
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‘The decryption process used in this routl . went to 

encrypted section of meaory runs from $0E2D to $0FFB. If you 
examine the orotectlon eethod, you'll have to decrypt this section first. 

Note that the routine still contains some ' und °Uee°the*PPM }ol U Il"fIr 
H^tattpmhlp coDoletelv with a standard eonltor (see the fpk voi ii tot 

2 £.2u of undocumented opcodes). To decrypt a byte, you sl.ply clear the 
carrv flag, add 1 to the byte and excluslve-or (EOR) the result with the 
value $FF? Clearing the carry is necessary each time since the addition 
Instruction automatically adds In the carry flag. Th * \ t so 

code sill decrypt the first 256-byte page of the code. f ” 

that It will decrypt the entire section of code Is left as an exercise ror 

the reader. 


cooo 

LDY 

#$00 

C002 

LDA 

$0E2D,Y 

C005 

CLC 


C006 

ADC 

#$01 

C008 

EOR 

#$FF 

COOA 

STA 

S0E2D.Y 

COOD 

IKY 


COOE 

BKE 

$C002 

C010 

8RK 



$0E2D * starting address 

Clear carry flag 

Add 1 to accumulator 

Excluslve-or 

Replace decrypted byte 


Bv the way, this decryption method Is also self-reverslng, l.e. the exact 
sameroutl1* can be used for both encryption and decryption Thus you can 
decrypt the code, codify It as you wish, and then encrypt It *9 J 1 n ra “ 
the decryption routine. Many of the common, simple encryption methods 
using EOR have this property. See PPM Vol II for an explanation of 
encryption and decryption techniques. 


Xml 


ATTENTION, TREASURE HUNTERS 1S 


Have you ever bought a program and found out that its protection scheme Is 
more Interesting than the program Itself? I know I have. I've got games 
I've never played except when testing to see If the backup procedure 
worked 1 It's like the challenge of breaking the protection scheme Is a 
game In itself. I'll bet you've felt the same way at times. 


Well, how'd you like a real challenge? And one with some added incentive? 

We've been toying with the Idea of a 'pirate's treasure hunt' adventure, 

in which the game is to break the protection scheme! We'.l.l even put a real 
treasure at the end of the hunt: the first person to completely solve the 

. ‘ * y, no gold doubloons). 

buy the disk, so the 
fil1 the disks would 

have his/her solution 

published in the newsletter and reap all that fame and glory too. 


puzzle would receive a substantial cash prize \sorr 
The prize would depend on the number of people who 
more the merrier. To give everyone an equal chance, 
mailed out on the same day. The winner would 


Anticipated price of the disk would be In the $20 range. The prize would 
be at least $250, and the sky's the limit on the maximum amount. If you're 
Interested, drop us a line by May 30th just to let us know (don't send any 
money yet). If the response is good, we'll get to work on It. 
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The program Is SAFEGUARD 64 DEMO, Copyright 1985 Glenco Engineering Inc. 


TYPE OF PROTECTION: This program uses error 22 * s on track 35, sectors 
8-15. These errors are created In a special way which makes them difficult 
to reproduce. The program also uses an Identification nueber which Is 
stored on track 35 sector 7. 

HOW TO COPY: We managed to make & working copy using Di-Sector's 3 minute 
copy program and placing the error 22 1 s on track 35 with their format 
editor. This method was not totally reliable, however. 

HOW TO MAKE A WORKING COPY WITHOUT ERRORS: 

1) Copy the original disk with any copy prograc which does not copy the 
errors. 

2) Load in HIMON or LOMON and execute it. From the monitor, type 
L "DEH0SUPP1",08. 

3) Change location $4Q6A from a $CE to an $FF: type M 406A to display the 
location, type FF over the value displayed and hit return. Actually, 
almost any value other than $CE would work here! 

4) Save out the altered program with S M @0:DEK0SUPP1", 08,3500,4280 

5) You're done - just change one byte and you've bypassed their 
protection! 

SAFEGUARD 64 Is a program protection system. They supply blank disks with 
their errors already on them ($2.85 each) and a routine to check for those 
errors. You then copy your software onto the disks. In your software, you 
call their error-checking routine and examine the values returned to see 
if the disk is an original. They also have an autostart option that will 
check for their protection and then automatically load your program. This 
option also allows you to encrypt your software. 

The protection system Is In two stages. First and foremost are the error 
22' s on track 35. If they are present, a 5 is placed In memory at $4029. 
Then the program retrieves a five-digit ID number from sector 35/7 and 
places It In memory at $CFFB-CFFF. The ID no. may be used in decrypting 
your program. The protection routine Itself is located at $4000-425F. 

I 

Although the protection system Is not very effective, we can still learn 
something from it. Error 22 Is a 'data block not found' ferror. Like most 
bad.block errors, thcrt.are many ways to cause an error 22. In this case, 
rather than just alter the data block Identifier byte (the simplest way), 
they have written some special data there. They either use altered bit 
density or Illegal GCR codes such as $00 bytes. This confuses the read 
circuitry of the drive. The net effect Is that when you try to read the 
block, you get different results each time. This Interesting technique may 
be the basis for several other tough-to-copy programs we've seen which use 
an error 22. The same technique could probably be used to cause other 
types of errors too. 
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To check for a bad block, the program simply reads the block Into the 
computer's memory twice, once at $CD00 and again at $CE00, and then .ounts 
the number of bytes that are different In the two versions. Actually, It 
only counts up to a maximum of 5 bytes difference the 8 P°* s b ?c 
blocks This 'bad byte' count Is kept In location $4029, so that a 5 Is 
placed there when the disk Is an original. The method given above for 
disabling the protection check works very simply. Instead of cjmpaHng the 
first version In memory (at 5CD00-CDFF) with the second (at $CE00-CEFF), 
wa've switched It so the first version Is compared with part of the 
KERNAL. Naturally, they come up with more than four bytes difference! 

The program covered above Is a deao of the protection system. In actual 
practice, the protection chock routine Is located at $CA80-CD20. Tho value 
5 Is returned at location $CAB0, and tho routlno can be defeated by 
changing location $CAFC from a $C6 to an $FF. The ID no. Is returned at 
the same locations, $CFFB-CFFF. 


As software protection goes, this system is very ineffective and easy to 
defeat. It can be copied using the simple procedure given above. Although 

copy. Of course, why 
easy? The code that 
e. No attempt Is made 
undocuaented opcodes. 
Although they don't protect your program, at least they don't destroy your 
drive either: Glenco disables the head rattling before checking for the 
bad block. In fact, they use the same technique that we published In the 

October newsletter. 


it may take several tries, you CAN get a wording 
bother when'dlsabl1ng the protection check Is so 
checks for the bad blocks Is short and fairly slmpl 
tn hide anv of the code through encryption or 


It's important to realize that you would not know how ineffective this 
system Is unless you Investigated It as we did. This brings up a good 

point. When "you let someone el se -protect-^our--sof j tware, - you - are putting 
yourself in their hands. If you can't protect the program yourself, how 
can you properly evaluate their protection method? You can't. You 
have to trust them. About the only thing you have to go by is their 
reputation and experience. I think that's why we've had so many requests 
from people to evaluate their protection system or protect their software 
for them. Because of the number of these requests and the lack of any good 
place to refer them, we have developed a number of protection systems. 

Why more than one system? One reason Is that different products require 
different levels of protection to get the best value for your program 

protection dollar. But the most Important reason Is one that Is often 
overlooked: If a company offers one system to all Its clients, that's 
putting a lot of eggs In one basket. If one egg gets 'cracked', chances 

are they all will. Our advice is: If you need your program protected, 

don't use an 'off-the-shelf' protection scheme. They're .just not worth the 
risk. Bad protection Is worse than none at all, since you've wasted your 
money and been lulled Into a feellngof false security. These systems are 
not worth having at any price. To top It off, the prices they are asking 
would be out of line even if their systems were good. We have yet to see 
ANY of these systems that were worth the money. 


In conclusion, the problem of finding a good protection system has no easy 
answer. Sometimes the best solution Is to design one yourself, If you are 
capable of doing that. Most people aren't, since even good programmers 
don't usually make good 'protectors'. The other alternative is to use a 
commercial system. But remember what we have learned from the SAFEGUARD 
system: If It sounds too good to be true, It probably Is. 
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C64 KLRKAL ROM REVISIONS 


.The Commodore 64 contains two 8K ROMs which hold the oper ing syste* 
routines. These two ROMs ere commonly called BASIC and the KERNAL, although 
the BASIC routines 'spill over' Into part of the KER N AE R0 ** IJf * AS ^ 

Is located at SAOOO-BFFF (40960-49151) In eecory, and the KERKAL Is located 

at SE000-FFFF (57344-65535). 


The C64 has undergone several revisions since It was first Introduced. There 
have been some hardware modifications, but the most important changes have 
been In the operate system. Actually, the BAS C ROM Is Identical In a 1 
versions of the C64, Including the SX64 portable model, so we re really 
talking about changes In the KERNAL. There have been 3 different verslonsof 
the KERNAL In the C64, plus a fourth version In the SX64. This raonth we re 
qolng to 10i)k at the different revisions Commodore has made to the KERNAL. 
Next mony» w£*_1U } ome revisions of your own. 

One way to tell whlch^ROK you have iV to 1 ook on the ROM itself, which Is a 
chip labelled 901227-XX, where XX Is the revision number (this applies to 
the C64 only; you should be able to tell if you have an SX64!). An easier 
way Is to type the following line; PRINT PEEK(65408). This location In the 
KERNAL ($FF80 hex) Is not used by any routines, but Commodore has put a 
different value there In each version. Another less commonly known location 
that serves the same function Is 58540 ($E4AC). These are the ONLY two bytes 
that are different In all four KERNAL versions. The values found there are 
given below (only Commodore knows why these particular values were used!). 


REVISION 

58540 

65408 

-1 

43 

1 70 

- 2 

91“ 

0 

-3 

-IT9 

3~~ 

-57 

179 

sir 


Let's start with the differences between ROMs 1 4 2. More changes were made 
in ROM 2 than in any other ROM. The table below lists the areas which ar« 
different (all locations are given In hex) and a brief explanation of the 
effect of each change. 


LOCATION 
E 1 1 9 - 1 A 

E4AC 

E4AD-B6 

E4DA-DF 

E4E0-EB 

E4EC-FF 

EA0B-0E 

ECCA-B 

E C D 2 ^ 

F428-4C 

F459 

F762-66 

FCFC-FD 

FDDD-F8 


FEC2-D4 
FF08-42 
FF5B-7F 
FF80 
FF81 


CHANGE MADE TO ROM 2 ___ _ 

JSR to special BASIC CHKOUT routine (see E4AD) 

Unused location; see table above 

BASIC CHKOUT; avoids problems PRINTIng to nonexistent device 
Fill color RAM with background color when clearing screen 
Routine to wait only 8.5 secs for C* key on tape load/verify 
PAL (International) RS-232 baud rate timer constants 
JSR to $E4DA patch above Instead of using color white 
Set VIC rasttr Interrupt to line 622 for PAL/NTSC check 
Clear VIC'^1nterrupts for PAL/NTSC check 

Check PAL/NTSC flag and use proper RS-232 baud rate table 
JSR Instead of JMP to RS-232 DATA-SEND-READY error routine 
Use $E4E0 tape wait routine above Instead of waiting forever 
JSR to new CINT routine at $FF5B (see below) 

Set CIA #1 timer A (IRQ timer) based on PAL/NTSC flag 
NTSC (North American) RS-232 baud rate timer constants 
Modified RS-232 timing routines 

Check VIC raster Interrupt and set PAL/NTSC flag accordingly 
Unused location; see table above 

CINT (screen 1n11) vector changed to $FF5B routine above 
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.Most of the changes In ROM 2 are related to the PAL/NTSC check, which allows 
the C64 to detect whether It It on an NTSC (North American) or PAL 
(International) system and adjust the IRQ and RS-232 timing accordingly. One 
other change Is significant - ROM 2 fills color RAM with the background 
color rather than white when clearing the screen. This caused 
Incompatibility problems with software, notably Wordpro, which poked 
characters directly onto the screen without setting their color. Other 
changes Include creating a new BASIC CHKOUT routine to handle PRINT 1ng to 
nonexistent devices correctly, and altering the tape load/verify routine so 
it only waits 8.5 secs for the C» key to be pressed after finding a file. 

ROM 3 Includes all of the features of ROM 2 except that the screen clear 
routine pas modified agal n. ThU t;!pe. col or RAM Is filled with the character 
color In effect when the ‘‘screen' Is cleared. Commodore also fixed the 
Infamous screen editor bug: with ROMs 1 & 2, if you go to the bottom of the 
screen, type 80 characters and then delete the last one, the computer will 
freeze up! A bug in the INPUT routine was also fixed - when the INPUT prompt 
was longer than one line, the prompt was taken as part of the Input. A minor 
RS-232 parity bug was also fixed. The areas changed are given below: 


LOCATION 

rm- 

E4D3-D9 
E4DB-DC 
E57C-90 
E591-99 
E622-23 
EA07-12 
EF94-96 
FF80- 


CHANGE MADE TO ROM 3 _ 

Unused location; see first table 

Reset RS-232 parity when start bit detected 

Fill color RAM with character color when clearing screen 

Screen editor bug patch - JMP to $EA24 to set color RAM addr 

INPUT bug patch - handle long prompts correctly 

JSR to SE591 INPUT routine patch above 

Modified routine to clear screen line 

JMP to $E4D3 RS-232 patch routine above 

Unused 1 ocatl onv—se-e-f-1 r&V- i*b-l-«--- • • - ■ 


The SX64 ROM contains all the features of ROM 3. The major change Is that 
any attempt to use tape results In an 'ILLEGAL DEVICE* error since the, SX 
has no cassette port. The default colors and start-up screen were also 
changed, and the SHIFT-RUN/STOP key was programmed to perfor* a LOAD":*",8 
instead of just LOAD. The areas changed are: 


LOCATION 

E479-93" 

E4AC 

E 535 

E5EF 

E5F4-F5 

ECD9-DA 

F0D8-E6 

F387 

F4B7 

F5F9 

FF80 


CHANGE MADE TO SX64 ROM _ 

Start-up screen changed to °SX-64 BASIC V2... fc 

Unused location; see first table 

Default character color changed to blue (code 06) 

No. characters In SHIFT-RUN/STOP command changed to 15 
Location of SHIFT-RUN/STpP command changed to $F0D8 
Default border color cyan (03); background color white (01) 
SHIFT-RUN/STOP message changed to LOAD":*",8 (CR) RUN (CR) 
Patch OPEN routine to qlve "ILLEGAL DEVICE" error for tape 
Same as above, for LOAD'/VERIFY routine 
Same as above, for SAVE routine 
Unused location; see first table 


This concludes our look at the C64 ROM versions. 
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ALL ITEMS IN STOCK FOR IMMEDIATE SHIPMENT 

PROGRAM PROTECTION KAEUAL FOR THE C-64 (VOLUME II) $34.86 

THIS MANUAL BEGINS WHERE THE FIRST ENDED. COVERS THE LATEST ADVANCES 
IN PROGRAM PROTECTION INCLUDING ENCRYPTION, GCR CODING, UNDOCUMENTED 
OPCODES, ADVANCED CARTRIDGE PROTECTION SCHEMES, AND MUCH MORE. 


1541 DISK DRIVE ALI6KKEKT PROGRAM - KEWII VERSION 2.0 
See Oct. 84 Compute! Gazette for review 

PROGRAM PROTECTION MANUAL FOR THE C-64 (VOLUME I) 

CARDO 5 SLOT EXPAKSIOK BOARD FOR THE C-64 

INCLUDES A RESET BUTTON AND FUU CARTRIDGE SWITCHES 

ADVANCED ML BOOK FOR THE C-64 (ABACUS) 

ANATOMY OF THE 64 
ANATOMY OF THE 1541 
MACHINE LANGUAGE BOOK OF THE 64 
TRICKS AND TIPS FOR THE 64 
1541 MAINTENANCE MANUAL 
INSIDE COMMODORE DOS 


(GOSUB) 

(DATAMOST) 


PROKENADE 

THIS IS THE EPROM PROGRAMMER THAT WE USE HEREll USE IT TO MAKE 
YOUR OWN OPERATING SYSTEM CHIPS, CARTRIDGE PROGRAMS OR A NEW DOS 
FOR THE DISK DRIVE. SOFTWARE INCLUDED ON DISKETTE. 

DATARASE This will erase all U.V. erasable EPROMS 
(2732, 2764, 27128, 27256, etc.) 


44.95 

29.95 
65.00 


19.95 

19.95 

19.95 

14.95 

19.95 

29.95 

19.95 

99.50 


34.95 


PIN 
4K) 

8K OR 

- USE 

- USE 


SOCKET 


BOARDS 0 SOCKETS AND EPROMS: 

PCC2 2 CHIP CARTRIDGE BOARD WITH 2 SOCKETS 
PCC4 4 CHIP BANK SWITCHED CARTRIDGE BOARD W/SOCKETS 
PCYH2 PLASTIC HOUSING FOR ABOVE BOARDS 
LP28 28 PIN SOCKET FOR EPROM 
ZIF28 ZERO INSERTION FORCE 28 
2732 EPROM (USE IN CARTRIDGE 
2764 EPROM (USE IN CARTRIDGE 
27128 EPROM (16 K OK ONE CHIP 
27256 EPROM (32 K ON ONE CHIP 
AD USE THIS ADAPTER WITH 
OR IK THE COMPUTER. 




NEW 


IK DISK DRIVE W/AD) 
IN PCC4) 

IK PCC4) 


THE 27§4 EPROM IK THE DISK DRIVE 


LOW PRICE! 
** 5.95 
19.95 
** 2.50 
.59 
4.75 
5.00 
** 6.00 
** 14.00 
** 18.00 
** 6.95 


CARTRIDGE PACK - NEW!! „. ** 17.50 

INCLUDES A PCC2 2-CHIP BOARD WITH 2 SOCKETS INSTALLED, TWO 2764 
EPROMS AND A PCVH2 PLASTIC CASE. 

HESHOK (R) ML MONITOR OK A CARTRIDGE. 25.00 

This version also Includes a DOS WEDGE and PROMOS (PROMENADE) 
software on the cartridge. 

SINGLE SLOT EXPANSION BOARD • 24.50 

WITH RESET BUTTON AND GAME, EXROK, ENABLE £ POWER SWITCHES. 

XETEC SPI PRINTER INTERFACE 54.95 

DISK DRIVE BELT 10.00 
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